Focused on all things related to learning, performance and organisational productivity,
and to the 70:20:10 model.

All content and opinions are my own.

Wednesday, 15 August 2012

Compliance Training: does it really work?

Until relatively recently I’d bought into the argument that organising regulatory and compliance training is one of the important and necessary tasks for an L&D department.

Virtually every organisation has regulatory and compliance requirements it needs to meet. In highly regulated industries even more so.

So it seemed sensible then that part of the obligation should fall on L&D to train employees to understand what’s expected of them to be compliant in their work.

However in light of experience I’ve come to ask myself whether compliance training has any real effect at all. Or is it mainly a waste of time, effort and the (vast amount) of money spent on it?

The answers I’ve found have been quite enlightening.

One way in which compliance training works

Compliance training undoubtedly works in one way. That is to ensure the right ‘boxes are ticked’ should something go awry. Rather as support for the ‘we followed orders’ defence. This is often the situation found in the wake of some non-compliant act that had led to an unwanted occurrence. The question as to whether the organisation has followed statutory or relevant professional body compliance training guidelines is often the first one raised. Organisations produce their records of compliance training to be used as part of the defence.

In other words compliance training is useful as a back-stop to help avoid financial sanctions and, at worst, the CEO or Chairman ending up in front of a jury and possibly in prison (in the past a number have). Sometimes this ‘defensive compliance’ strategy works. Increasingly it doesn’t.

But does it actually improve compliance and lower the number of non-compliant acts?

The evidence

Certainly the evidence seems to indicate that the related domain of diversity training has little or no effect. Peter Bregman’s March 2012 article on the Harvard Business Review certainly states the case that diversity training doesn't extinguish prejudice. In fact, it promotes it. Bregman cites a study of 829 companies over 31 years that showed diversity training had "no positive effects in the average workplace."

If diversity training has no impact, or even negative impact, is compliance training in the same boat? If so, what are the alternatives?

A study by Yassi, Bryce, Maultsaid, Lauscher, and Zhao in the Canadian healthcare service showed that requiring completion of an online compliance module, rather than simply encouraging completion and allowing voluntary access, generated a higher intention to comply. So this might suggest that mandatory compliance training is a good thing. But the difference was simply in the intention to comply, rather than compliance itself.

On the other hand Jeff Kaplan, a US lawyer and national expert in compliance and ethics, reports major problems with compliance training, especially online training. Kaplan found:

“An employee of a global company recently told me “In Europe, people pay their children to click through it” and at another company the phrase “mind numbing” was used to describe such training. (Indeed, a lawyer whose full-time job had been developing on-line Compliance and Ethics training recently told me he doubted its efficacy.) And, not infrequently, in-person training is criticized as well.”

Kaplan goes on to say:

“None of this should be surprising. From a design perspective, training is often created in an utterly wholesale manner, so that, for instance, salespeople, those in finance and senior managers are all being given the same FCPA training even though their risks and responsibilities differ significantly. Perhaps worse, from a deployment perspective, training is often disconnected from risk-causing events or other contexts in which Compliance & Ethics messages could be more effectively conveyed.”

There’s also another set of fundamental problems I’ll discuss below. But before getting into those, it’s worth thinking about environments where compliance is seen to be critical – in highly regulated industries.

Highly Regulated. Highly Compliant?

Even in the recent past our press reports have been littered with highly regulated industries behaving in absolutely non-compliant ways on a huge scale. Just this week Standard Chartered Bank has agreed to pay a $340m fine for its alleged breaches of US sanctions that US regulators claimed left the financial system vulnerable to corrupt regimes and weapons and drug dealers. And there may be more sanctions and fines still to come for Standard Chartered.

Before Standard Chartered came Barclays (‘Barclays had a culture of gaming – and of gaming us’ said Andrew Bailey, the top banking regulator at the UK Financial Services Authority). Along with HSBC and others with their manipulation of the LIBOR rates. A damning report by the US Senate concluded that HSBC had a “pervasively polluted” culture, and that the bank’s Head of Compliance warned the CEO of non-compliant activities, but Lord Green, the then-CEO, took no action.

In July the economist David Blanchflower declared that in the wake of the interest rate fixing scandal “there are no longer any UK bankers who are credible candidates to become the next Governor of the Bank of England.”

And it’s not just the banking industry.

There’s the Energy industry, with the disaster and fines encountered by BP and its sub-contractors in the Deepwater Horizon spill. The death of 11 men and extensive damage to marine and wildlife is simply another example of disasters resulting from non-compliance in what is supposed to be a highly regulated industry.

The report on the causes of the spill by the White House Oil Spill Commission blamed BP and its partners for making a series of cost-cutting decisions and the lack of a system to ensure well safety. The Commission also concluded the spill was not an isolated incident caused by "rogue industry or government officials", but that "the root causes are systemic and, absent significant reform in both industry practices and government policies, might well recur".

BP set up a $20billion compensation fund which has had more than one million claims to date, with more still coming in.

The pharmaceutical industry, another one where regulation and compliance is held as paramount on every executives’ lips, has its share of high-impact non-compliance incidents. Just last month GlaxoSmithKline was instructed to pay $3bn in the largest healthcare fraud settlement in US history. GSK pleaded guilty to promoting drugs for unapproved uses and failing to report safety data to the Food and Drug Administration. Does GSK have a comprehensive programme of compliance training? You bet it does.

The list of non-compliance incidents in highly regulated industries could go on almost ad infinitum.

Non-compliance is equally rife in not so regulated industries. It’s hardly worth starting on issues encountered in the media industry, in Mr Murdoch’s empire and elsewhere.

But what does all this tell us?

Just a waste of time, effort and money?

Actually, it tells us a lot. It gets to the heart of of what effective compliance training and approaches should be all about.

In his HBR article Jeff Kaplan reported a study that found the ‘decoupling of compliance training from sales activities’ in financial services firms was at the heart of many of the problems and was seen as having contributed to the misconduct at issue.

We need to step back from the standard knee-jerk response that compliance training is a necessary and effective way (and often the only way) of improving levels of compliance, and that there is no alternative open to us. There seems to be little evidence to support the link between compliant behaviour and current standard compliance training approaches. In fact some of the evidence indicates the contra-argument.

In other words it is likely that most of the time, effort and money spent on compliance training is simply being wasted. At best it’s a security blanket. At worst it promotes non-compliant behaviour. Even paper-waving training records in front of judges and national commissions no longer holds much sway.

Existing evidence points to a situation where most companies would be better off simply ditching their existing compliance training efforts wherever they can, and making mandatory training as fast and simple as possible. Maybe even encouraging the behaviours Jeff Kaplan reports above – getting children to click through the training to get a tick in the LMS box with as little thought and effort as possible.

So, is there a better way?

Effective compliance training

There is, and it involves something other than running endless compliance training courses.

First we need to start thinking about ways in which compliant behaviour is best encouraged.

The main objective for any organisational learning is to engender behaviour change. After all what is ‘learning’ if it isn’t changing and adapting behaviour to achieve different and, hopefully, better outcomes of action? Many seem to have forgotten this when they think about compliance challenges. When dealing with compliance training often the process becomes more important than the results, and training becomes the only club in the bag to deliver the process.

If training is to be used, it should be focused on changing behaviours. Testing short-term recall following some compliance training event won’t do that no matter what the regulatory bodies who define the ‘compliance curriculum’ say. We need a different approach.

Compliance training needs to be top-down

There seems to be a common thread that runs through almost all high-profile compliance catastrophes. It is that the top-tier executives and middle managers in the organisations simply didn’t model the behaviours that would lead to a culture of compliance.

Take perceived value of employees. If you’re working in an organisation where the CEO is being paid many $millions and where the differential between top executive remuneration and bottom-tier worker pay is huge, why would you expect a culture of compliance to exist? Humans don’t work that way.

If you’re driven by extremely challenging targets and eye-watering potential rewards if you deliver value and profit for your organisation no matter what, why should your organisation expect you to be 100% compliant? If you can cut corners it’s likely that you will. Humans often work that way.

What about where employee treatment is differentiated on rigid hierarchical lines – where ‘masters of the universe’ rule, or where there is a culture of ‘it’s OK to say one thing and do another’? If people see their leaders as ‘different’ and disengaged from them they themselves are less likely to be engaged with the organisation. Less engaged workers are less likely to be compliant with standards and regulations. That goes for senior as well as junior team members.

Organisations where leaders model the compliant behaviours they would like to see across the workforce are far more likely to display those behaviours across all levels.

Take the John Lewis Partnership in the UK, for example. This is an organisation that’s been built on the concept of fairness. ‘Never knowingly undersold’ is one credo that John Lewis has lived by since 1925. But behind that is a successful employee-owned business. More than 28% of stock ‘shrinkage’ in UK retail is due to internal theft – employees taking things. At John Lewis employees are ‘partners’ and own a share in the company. Even if you’re simply stacking the shelves you share a common goal with the company to safeguard profit. Low levels of internal theft are the result at John Lewis. Far below the average for the retail sector as a whole. I recall a John Lewis employee speaking about a colleague who had been discovered removing items from the Shepherd’s Bush, London, store. Her view was that the colleague was ‘stealing from us all’ and the policy of instant dismissal, with all shares and other benefits removed, should be enacted forthwith. ‘We don’t do that stuff around here’ she said.

This view is common across the John Lewis partnership. Employees are engaged, so they value compliant behaviours, and will speak up when they see others being non-compliant.

In the recent banking scandals, even senior managers didn’t speak up when they knew about non-compliant behaviour. No amount of compliance training will change that.

So where does this leave compliance training?

It certainly doesn’t mean compliance training isn't necessary at all. But it does mean that it’s likely to be far removed from the vast majority which currently exists, and that much of the future activity and focus to improve compliance won’t be through ‘training’.

Firstly, any formal compliance training should be led by senior managers and actively supported by executives. Not simply by leaders issuing homilies from afar, but by them ‘walking the walk’ and ‘talking the talk’. By modelling compliant behaviour themselves. By ensuring that everyone understands that employee fairness and ‘doing the right thing’ is at the core of their organisations. By ensuring that fairness is demonstrated across their workforces. Not by employees being told that’s the case, but by them seeing it with their own eyes.

Together with any formal training, at the top of every executive and manager’s priorities should be the encouragement and participation in awareness-raising about compliance and expected behaviours. If it isn’t then they shouldn’t be surprised to find non-compliance rife no matter how many compliance training programmes employees have been compelled to attend or complete.

The implications

As Ross Dawson points out in his ‘12 Themes for 2012’, reputations are more visible and vulnerable than ever before. We all know that. Reputations can and will be trashed in moments, especially with the increased pervasiveness of social media as a way for individuals to get a hearing. The era where the powerful controlled the distribution of information is well and truly over. Organisations large and small will increasingly have their innermost secrets washed in public. Organisations that behave badly will be exposed. Compliant behaviour will become even more critical for survival for many organisations. And non-compliant behaviour will become ever more difficult to brush under the carpet.

So, we’d better get our approaches to compliance right. Some training may be needed, but it will never be sufficient.

To give Jeff Kaplan the last word on the training element:

What, then, will the future of Compliance & Ethics training and other communications look like? Very possibly, the “same as it ever was” – because many companies simply do not push for excellence and innovation in Compliance & Ethics program matters (the way they do for corporate functions more traditionally seen as mission critical, such as sales). Indeed, it is not only businesses actively engaged in bribery that pursue Compliance & Ethics “half measures.”

“But for organizations with a dynamic – and truly risk-focused – view of Compliance & Ethics programs, the path is clear: training should be developed in a far more granular way than it currently is and deployed when, where and how it can make the most difference. After all, if Compliance & Ethics risks can evolve – which they do all the time – so can training.”

12 comments:

It seems to me that there is still a crucial role to check that people know regulations - training newcomers and training existing people on new regulations and checking (via well designed assessments or otherwise) that people know and understand regulations.

Some of the scandals/fines seem to have arisen from some parts of an organization not knowing that certain behavior breaks regulations. So a granular approach to training/checking understanding of regulations appropriate for each employee seems an important part of compliance training.

But yes it should be risk driven, and no it should not be mindless click through. Scenario questions that present realistic situations and ask for answers can be a good way of checking whether people know and can apply regulations for instance. (Questions that if you pay your kids to answer, they'll find it tricky!)

John, I agree that it's important for people to know regulations (or know where to find them or who will give them an accurate view when needed).

So there is a role for some training, but we're fooling ourselves if we think that compliance training courses which simply provide a data/information dump, and are then followed up with an assessment of retention and understanding immediately post-training is all that's needed.

That may help keep the CEO out of jail (although less so now than a few years ago), but it won't do much (if anything at all) for engendering a culture of compliance and compliant behaviours. The research I cited above seems to say that it's as likely to reduce compliance as increase it. We require a whole new way of looking at the challenge of compliance in organisations.

I’m glad you see you zeroed in on leadership. In my experience there are only two reasons for poor performance, 1. poor training, 2. poor leadership. Of course the root cause of poor training is poor leadership so that narrows things down nicely. However I wanted to remind people about the history or compliance training.

I think many have forgotten or never known what shaky learning foundations our current compliance training is built on. We are following a development and delivery format that was specifically designed with ass covering as its primary goal. It was adopted when Safety training was first imposed on industry by government. I’m not sure about the UK but I suspect things were not much different then in Canada. Even now it is hard to develop a strong safety culture, try to remember how much resistance there was 20 years ago from employees and employers alike. No one thought or believed the training was of any value to start with, we offered it because we were told to and we tracked it to prove the workers had been “told”. This is much the same way requiting policies evolved. The only institutions with long standing testing and entry requirements were organizations like fire fighters, police departments and the freemasons. These were the model for corporate requiting policies but of course these methods were specifically designed to discourage applicants so that only the truly persistent, dedicated or down right stubborn managed to stick it out long enough to get hired. Like compliance training, this kind of outdated methodology is of no use whatsoever in the modern business world.

Yet as we changed our minds, cultures and behaviors and accepted workplace safety as a real priority we never changed the “Comply with Compliance” based approach to development and delivery. It’s no secret that in order to properly train people we have to stop feeding them information with a fire hose then testing short term memory. Is the goal to have our people actually compliant, knowing what they need to know, or the illusion of compliance? i.e. all the boxes ticked in everything we might need to prove someday they should have known. Getting the word out that no one’s ass is actually covered regardless of how many boxes are ticked my be critical to getting HR, corporate leadership and LD Leaders to stop resisting the restructuring of compliance training. We have mastered the illusion of compliance, now we should be able see it for what it is, point out the elephant in the room and try an effective approach.

Charles, thanks for a well-researched and well presented piece. There’s no doubt that compliance training is too often used – as you say – to keep the CEO out of jail. If this is the case, then we need a shift in the company culture, rather than another training course (even though as you say training still has a role to play). But what role, if any, do you think L&D has in stimulating this change?

After working in highly regulated industries for over 30 years, compliance was always found to be an issue.

Particularly with highly skilled and trained individuals where the common view was, you pay me well for my skills and knowledge, so I will do it the way I see fit. This was more prevalent as legislation and regulation changed, and did not fall in line with the culture and the way we always did things.

Great article Charles. I've long held the belief that compliance is not a training problem and recently had the opportunity to prove it.

Working at a large Australian bank that had an existing problem with staff not opening accounts in compliance with regulatory requirements,the answer from the internal Risk Group was training. Lots of it. Regular, expensive remedial training. The problem was that the training wouldn't 'stick' and staff returned to old work habits - what they knew - and the compliance issues recurred. It was a failing and expensive cycle.

My answer was to build compliance into the process itself and provide just-in-time, contextual on the job support by way of a solution called SupportPoint from Panviva. At the click of a button staff now had ready access to the right way to do work. There were no excuses for getting it wrong. Behaviours were reinforced through management directives to use SupportPoint if staff were unsure of what to do. Compliance breaches decreased and so did the associated risks.

The point of this isn't about the particular tool being used, although SupportPoint is a very good tool, it is to point out that issues of process compliance can be largely overcome by providing support where and when it's needed. Formal training simply can't do that. Ticking boxes doesn't make people compliant. Performance on the job does. Let's help people perform.

enjoyed reading your article, I agree that " Compliance training is essential in organizations to ensure that ethical business practices are followed throughout the organization and also to ensure better workplace culture..

Compliance courses can be made interesting by including scenarios and interactivities which manage to retain the attention of learners thereby ensuring effective knowledge transfer at the workplace. Compliance training should be held regularly, so as to update employees whenever there is a new policy. Training managers in consultation with the legal department can finalize the courses based on real requirements. E-learning could be considered as a viable option when compliance training needs to be rolled out throughout the enterprise which is spread across various geographical locations.... I wrote a blog on "Comply with Regulations’ – Why Use eLearning to Convey this Message", i invite you to read my blog and would appreciate your comments on the samehttp://bit.ly/VhSor2

Thanks for the article, it is really nice, Compliance Training is seen as an important means to attain the inadequate to effective corporate governance.When part of a broader operational governance strategy, GRC practices ensure continuous oversight and help businesses strike the right balance between cost optimization, risk management, and capacity for innovation

Compliance training undoubtedly works in one way. That is to ensure the right ‘boxes are ticked’ should something go awry. Rather as support for the ‘we followed orders’ defence. This is often the situation found in the wake of some non-compliant act that had led to an unwanted occurrence.

About Me

Member of the Internet Time Alliance and Co-founder of the 70:20:10 Institute, Charles Jennings is a leading thinker and practitioner in learning, development and performance.
All articles, content and opinions here are his own.

Copyright

All content on this site is published under the Creative Commons: Attribution – Non-Commercial – Share Alike License except where specifically stated.
This blog does not accept any form of advertising, sponsorship, or paid insertions. I write for my own purposes. However, I may be influenced by my background, occupation or experience.
The owner of this blog is not compensated to provide opinion on products, services, websites and various other topics. The views and opinions expressed on this blog are purely the blog owners. If I claim or appear to be expert on a certain topic or product or service area, I will only endorse products or services that I believe, based on my expertise, are worthy of such endorsement.
This blog does not contain any content which might present a conflict of interest.
For policy see: http://www.disclosurepolicy.org